
cpanel - whm notification

Discussion in 'Security' started by cpwhmsec, Feb 28, 2010.

  1. cpwhmsec

    hello

    Is it possible to get an instant email notification (IP and user agent) when someone logs into WHM or cPanel?

    APF is installed, so I can't install CSF.
     
  2. southcoastweb

    Paranoid as well

    Hi,
    My VPS server has recently been hacked, and I found on a forum that the hacker was boasting on that he accessed my root through a weak password.
    (now changed to a 100% strength one)
    He deleted at least 2 of my clients' websites (idiot!!).
    Anyway, I am worried that the hacker still has access to my WHM, so I too would like a script to email me on login to WHM, or at least some kind of log file I can easily read.
    Any suggestions?
    I am running CSF, which is now set to high.
    I cannot see any access in the lfd log at the time the hack took place, so I'm guessing it happened through a webpage.
     
  3. southcoastweb

    maybe an answer

    Because I am so paranoid now, I have been hunting for an answer to this.

    I have found this elsewhere:

    If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hacker's/spammer's IP address and be warned someone is in there.

    Server e-mail every time someone logs in as root

    To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.

    At command prompt type:
    pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    Save and exit.

    Set an SSH Legal Message

    To set an SSH legal message, SSH into the server and log in as root.

    At command prompt type:
    pico /etc/motd

    Enter your message, save and exit.
    Note: I use the following message…

    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.
    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies

    I'm going to try it in a bit and I will report back to you.

    :D
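
A variant of the `.bash_profile` alert quoted above, as an added example that is not part of the original posts: it reads the client IP of the current session from the `SSH_CONNECTION` variable that sshd sets, instead of parsing `who`, which lists every logged-in session. `ALERT_TO` and the function names are assumptions of this example; `mail` is the command provided by the `mailx` package.

```bash
# Added example: root-login alert for the end of /root/.bash_profile.
# ALERT_TO and all function names are hypothetical, chosen for this example.
ALERT_TO="${ALERT_TO:-your@email.com}"

# Print the client IP of *this* session. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; it is unset on a console login.
login_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        printf 'local-console\n'
    fi
}

# Subject line carrying exactly one source, even with several sessions open.
alert_subject() {
    printf 'Alert: Root Access from %s' "$(login_source)"
}

# Body: time, host, this session's connection tuple, then the full who listing.
alert_body() {
    printf 'ALERT - Root Shell Access on: %s\n' "$(date)"
    printf 'Host: %s\n' "$(hostname)"
    printf 'This session: %s\n' "${SSH_CONNECTION:-no SSH_CONNECTION (console login)}"
    printf 'All sessions:\n%s\n' "$(who)"
}

# Send the alert; report clearly when mailx is missing rather than failing
# with a bare "command not found" at login.
send_root_alert() {
    if ! command -v mail >/dev/null 2>&1; then
        echo 'mail command not found; install mailx' >&2
        return 1
    fi
    alert_body | mail -s "$(alert_subject)" "$ALERT_TO"
}

# Fire only in interactive shells, so non-interactive sessions that source
# this file are not disturbed by the alert or its error output.
case $- in
    *i*) send_root_alert ;;
esac
```

Append it to `/root/.bash_profile`; it runs only for interactive login shells and does not cover logins to WHM or cPanel.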
     
  4. southcoastweb

    :)

    This worked perfectly for me...

    If anyone uses SSH to enter root, it flags up a big warning, then it quietly emails me the access time and IP address they are using to log in.

    Hope this solves your problem.

    I had to install the mail script on my server, though, as it came up with an error.

    I used:

    Code:
    # yum install mailx
    
    :D
     
  5. JordiCS

    Hello,

    This SSH alert method is good if you don't have CSF installed, but this way you are not being alerted when someone accesses WHM. If you have CSF, it is very easy to configure it for sending you alerts in both cases. On its configuration page, look for:

    # Send an email alert if anyone logs in successfully using SSH
    # Send an email alert if anyone accesses WHM via root

    and set them to 1.

    Regards,
     